I. Create a self-signed certificate so the website can use SSL
II. Install and configure Apache
1. Install Apache and php-fpm
yum install -y httpd httpd-tools php-fpm
2. Install the SSL packages
yum install -y mod_ssl openssl
3. Edit the Apache configuration file
vi /etc/httpd/conf/httpd.conf
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
# Change this to your own system administrator's e-mail address
ServerAdmin root@yourdomain
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80
# Change this to your own host name
ServerName yourdomain:80
<Directory "/var/www/html">
#Options Indexes FollowSymLinks
Options FollowSymLinks <== remove Indexes so that the directory listing is not shown when no index.html is found
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# Set the mod_mpm_event parameters
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 30
MaxConnectionsPerChild 1000
</IfModule>
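httpd does not reject an inconsistent mpm_event block; it silently adjusts the values at startup and only leaves a warning in error_log. The script below is an added example (not from the original post) that applies the same adjustment rules to the numbers before a reload, so you see the capacity you actually get. With the values above (MaxRequestWorkers 30, ThreadsPerChild 25) the effective limit is 25 workers in a single child process, because MaxRequestWorkers is rounded down to a multiple of ThreadsPerChild. The ServerLimit default of 16 is assumed when not given.

```shell
#!/bin/sh
# Added example: pre-check an mpm_event block the way httpd does at startup.

# check_event_mpm MaxRequestWorkers ThreadsPerChild ThreadLimit [ServerLimit]
# Prints "<effective MaxRequestWorkers> <child processes>" and returns 1 when
# httpd would have adjusted any value. ServerLimit defaults to 16 (mpm_event default).
check_event_mpm() {
    max_workers=$1 threads=$2 thread_limit=$3 server_limit=${4:-16}
    status=0

    # ThreadsPerChild above ThreadLimit is lowered to ThreadLimit.
    if [ "$threads" -gt "$thread_limit" ]; then
        echo "WARN: ThreadsPerChild $threads exceeds ThreadLimit $thread_limit, lowered to $thread_limit" >&2
        threads=$thread_limit
        status=1
    fi

    # MaxRequestWorkers below ThreadsPerChild is raised to ThreadsPerChild.
    if [ "$max_workers" -lt "$threads" ]; then
        echo "WARN: MaxRequestWorkers $max_workers is below ThreadsPerChild $threads, raised to $threads" >&2
        max_workers=$threads
        status=1
    fi

    # A value that is not a multiple of ThreadsPerChild is rounded DOWN.
    effective=$(( max_workers / threads * threads ))
    if [ "$effective" -ne "$max_workers" ]; then
        echo "WARN: MaxRequestWorkers $max_workers is not a multiple of ThreadsPerChild $threads, lowered to $effective" >&2
        status=1
    fi

    # The resulting child count may not exceed ServerLimit.
    children=$(( effective / threads ))
    if [ "$children" -gt "$server_limit" ]; then
        children=$server_limit
        effective=$(( children * threads ))
        echo "WARN: ServerLimit $server_limit caps MaxRequestWorkers at $effective" >&2
        status=1
    fi

    echo "$effective $children"
    return $status
}

# Stand-alone use with the page's values:  ./check_mpm.sh 30 25 64
if [ "$#" -ge 3 ]; then
    check_event_mpm "$@"
fi
```

Raising MaxRequestWorkers to a multiple of ThreadsPerChild (50, 75, ...) removes the warning; if you need more than 16 children, ServerLimit has to be raised as well.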
4. Switch the server MPM
vi /etc/httpd/conf.modules.d/00-mpm.conf
Add a # to disable the existing MPM module
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
Remove the # to enable the new module
LoadModule mpm_event_module modules/mod_mpm_event.so
5. Edit the php-fpm configuration file
vi /etc/php-fpm.d/www.conf
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/default.sock
listen.allowed_clients = 127.0.0.1
listen.owner = apache
listen.group = apache
listen.mode = 0600
6. Add the configuration file that lets Apache use php-fpm
vi /etc/httpd/conf.d/php.conf
# Tell the PHP interpreter to handle files with a .php extension.

# Proxy declaration
<Proxy "unix:/var/run/php-fpm/default.sock|fcgi://php-fpm">
# we must declare a parameter in here (doesn't matter which) or it'll not register the proxy ahead of time
ProxySet disablereuse=off
</Proxy>

# Redirect to the proxy
<FilesMatch \.php$>
SetHandler proxy:fcgi://php-fpm
</FilesMatch>

#
# Allow php to handle Multiviews
#
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following lines to allow PHP to pretty-print .phps
# files as PHP source code:
#
#<FilesMatch \.phps$>
# SetHandler application/x-httpd-php-source
#</FilesMatch>
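Steps 5 and 6 have to agree: the socket php-fpm listens on (www.conf) must be the one Apache proxies to (php.conf), otherwise every .php request answers 503, and the socket's owner/mode decide which local users can submit FastCGI requests to the pool. The script below is an added example (not from the original post) that extracts both paths and compares them, then checks the live socket against the apache:apache / 0600 values set above. The file paths are the page's; the --check flag and function names are mine.

```shell
#!/bin/sh
# Added example: cross-check the php-fpm pool file against the Apache proxy
# stanza and verify the socket's ownership and mode.

# fpm_listen_path POOL_FILE
# Prints the active "listen =" value; lines commented out with ";" are skipped.
fpm_listen_path() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# apache_proxy_socket CONF_FILE
# Prints the unix socket path from a <Proxy "unix:/path|fcgi://name"> line.
apache_proxy_socket() {
    sed -n 's/.*<Proxy[[:space:]]*"unix:\([^|"]*\)|fcgi:.*/\1/p' "$1" | head -n 1
}

# socket_paths_match POOL_FILE CONF_FILE
# Returns 0 when Apache proxies to exactly the socket php-fpm listens on.
socket_paths_match() {
    fpm=$(fpm_listen_path "$1")
    proxy=$(apache_proxy_socket "$2")
    [ -n "$fpm" ] && [ "$fpm" = "$proxy" ]
}

# perms_ok OWNER GROUP MODE EXPECTED_OWNER EXPECTED_GROUP EXPECTED_MODE
# Pure comparison; modes are compared as octal numbers so 600 equals 0600.
perms_ok() {
    [ "$1" = "$4" ] && [ "$2" = "$5" ] && [ "$((0$3))" -eq "$((0$6))" ]
}

# check_fpm_socket SOCKET [OWNER] [GROUP] [MODE]
# Defaults mirror the page's www.conf: apache:apache, mode 0600.
check_fpm_socket() {
    sock=$1 want_owner=${2:-apache} want_group=${3:-apache} want_mode=${4:-0600}
    if [ ! -S "$sock" ]; then
        echo "FAIL: $sock is not a unix socket (is php-fpm running?)" >&2
        return 1
    fi
    info=$(stat -c '%U %G %a' "$sock") || return 1
    set -- $info
    if perms_ok "$1" "$2" "$3" "$want_owner" "$want_group" "$want_mode"; then
        echo "OK: $sock is $1:$2 mode $3"
    else
        echo "FAIL: $sock is $1:$2 mode $3, expected $want_owner:$want_group mode $want_mode" >&2
        return 1
    fi
}

# Stand-alone use on the server with the page's file paths:  ./fpm_check.sh --check
if [ "${1:-}" = "--check" ]; then
    pool=/etc/php-fpm.d/www.conf
    conf=/etc/httpd/conf.d/php.conf
    if socket_paths_match "$pool" "$conf"; then
        echo "OK: Apache and php-fpm agree on $(fpm_listen_path "$pool")"
    else
        echo "FAIL: listen in $pool is '$(fpm_listen_path "$pool")' but $conf proxies to '$(apache_proxy_socket "$conf")'" >&2
    fi
    check_fpm_socket "$(fpm_listen_path "$pool")"
fi
```

Run it after step 9 has started php-fpm; before that the socket does not exist and the permission check reports FAIL by design.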
7. Open port 80 in the firewall. Since CentOS 7 the firewall is configured with the steps below; open the following two ports permanently
Add ports 80 and 443
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
Reload the firewall rules
firewall-cmd --reload
Check the default zone and use that value in the firewall query commands below
firewall-cmd --get-default-zone
List what the current zone allows
firewall-cmd --zone=public --list-all
View the permanent firewall settings
firewall-cmd --zone=public --list-all --permanent
8. Set SELinux booleans so that certain PHP programs are not blocked from running
setsebool -P httpd_read_user_content 1
setsebool -P httpd_anon_write 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_check_spam 1
setsebool -P httpd_can_network_memcache 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_enable_homedirs 1
setsebool -P httpd_execmem 1
setsebool -P httpd_mod_auth_pam 1
setsebool -P httpd_use_sasl 1
setsebool -P httpd_verify_dns 1
After starting Apache, check /var/log/httpd/error_log for AH00035 errors; if any appear, run the following commands
restorecon -R <directory or file named in the error>
setsebool -P httpd_enable_homedirs 1
chcon -R --type=httpd_sys_content_t <directory or file named in the error>
View the SELinux context of a directory with
ls -Z
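Step 8 enables eleven httpd_* booleans at once. Each one widens what a compromised httpd or PHP worker may do (httpd_anon_write allows writes to public_content_rw_t files, httpd_execmem allows executing writable memory, httpd_enable_homedirs exposes home directories, the httpd_can_* booleans open mail, database and memcache connections), so the set worth keeping is the one your application actually uses. The script below is an added example (not from the original post): it reads getsebool -a output, lists the enabled httpd_* booleans, and prints the ones not in a "needed" list you pass on the command line. The sample getsebool output in the test is constructed.

```shell
#!/bin/sh
# Added example: review enabled httpd_* SELinux booleans against the list an
# application needs, so the rest can be turned back off.

# list_enabled_httpd_booleans [FILE]
# Prints httpd_* booleans that are "on". Reads FILE if given (lines in the
# "name --> on" format of getsebool -a), otherwise queries getsebool -a live.
list_enabled_httpd_booleans() {
    if [ -n "${1:-}" ]; then
        cat -- "$1"
    else
        getsebool -a
    fi | awk '$1 ~ /^httpd_/ && $3 == "on" { print $1 }'
}

# enabled_but_not_needed FILE NEEDED_BOOLEAN...
# Prints every enabled httpd_* boolean that is not in the NEEDED list.
# Each printed name can be reverted with:  setsebool -P <name> 0
enabled_but_not_needed() {
    src=$1
    shift
    needed=" $* "
    for b in $(list_enabled_httpd_booleans "$src"); do
        case "$needed" in
            *" $b "*) ;;               # required by the application, keep
            *) echo "$b" ;;            # enabled but not on the needed list
        esac
    done
}

# Stand-alone use on the server, naming only the booleans you need, e.g.:
#   ./selinux_audit.sh httpd_can_network_connect_db httpd_can_sendmail
if [ "$#" -ge 1 ]; then
    enabled_but_not_needed "" "$@"
fi
```

Two related points about the AH00035 fix above: a chcon label is lost the next time the filesystem is relabelled, whereas semanage fcontext -a -t httpd_sys_content_t '/path(/.*)?' followed by restorecon -Rv /path records the rule and survives relabelling; and httpd_sys_content_t is read-only for httpd, so upload or cache directories need httpd_sys_rw_content_t instead of a blanket httpd_anon_write.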
9. Stop and start Apache and php-fpm
(1) Enable start at boot
systemctl enable php-fpm
systemctl enable httpd
(2) Start or stop php-fpm
systemctl start php-fpm
or
service php-fpm start
Restart
systemctl restart php-fpm
Stop
systemctl stop php-fpm
(3) Start or stop Apache
systemctl start httpd
or
service httpd start
Restart Apache
systemctl restart httpd
Stop Apache
systemctl stop httpd
View running status
systemctl status httpd.service
Note: restart Apache and php-fpm together
III. Edit /etc/httpd/conf.d/ssl.conf to point at the newly created certificate. Replace the yourdomain paths below with your own certificate files. Find the following text:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
# SSLv3 and earlier have security problems, so disable them
SSLProtocol all -SSLv2 -SSLv3
IV. Enable SSL
Method 1: Configure an Apache virtual host
1. Back up /etc/httpd/conf/httpd.conf
2. Append the following to the end of /etc/httpd/conf/httpd.conf
# Listen for virtual host requests on all IP addresses
#NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt
SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
<Directory /var/www/html/<protected-directory>>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/<protected-directory>
ServerName www.yourdomain
</VirtualHost>
# Redirect http to https; mod_rewrite must be installed
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [L,R]
3. Restart Apache
systemctl restart httpd
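Section I of the page announces the self-signed certificate but lists no commands, while Sections III and IV point ssl.conf and the VirtualHost at /etc/pki/yourdomain/certs/yourdomain.crt and /etc/pki/yourdomain/private/yourdomain.key. The script below is an added example (not from the original post) that creates such a pair into the paths you give it and then verifies what mod_ssl checks at startup: that the certificate's public key belongs to the private key. The subjectAltName is written through a temporary OpenSSL config file rather than the -addext option, so the same script works with the OpenSSL 1.0.2 shipped in CentOS 7 and with current releases; modern browsers ignore the CN and require the name in the SAN. The domain yourdomain and the paths are the page's placeholders; the config layout and function names are mine.

```shell
#!/bin/sh
# Added example: create the self-signed certificate the page's ssl.conf and
# VirtualHost reference, and prove the certificate and key belong together.

# make_selfsigned_cert DOMAIN CERT_FILE KEY_FILE [DAYS]
# Generates a 2048-bit RSA key (mode 0600, directory 0700) and a self-signed
# certificate whose CN and subjectAltName are DOMAIN. Returns openssl's status.
make_selfsigned_cert() {
    domain=$1 cert=$2 key=$3 days=${4:-365}
    mkdir -p "$(dirname "$cert")" "$(dirname "$key")" || return 1
    chmod 700 "$(dirname "$key")"
    cfg=$(mktemp) || return 1
    # A req config with prompt = no lets us set the SAN on any OpenSSL version.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = $domain

[ v3_san ]
subjectAltName   = DNS:$domain
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 makes the key unreadable to anyone but its owner from the start.
    (umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -config "$cfg" -keyout "$key" -out "$cert" 2>/dev/null)
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] && chmod 644 "$cert"
    return $rc
}

# cert_matches_key CERT_FILE KEY_FILE
# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key (the pairing mod_ssl requires at startup).
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_has_san CERT_FILE DOMAIN
# Returns 0 when DOMAIN appears as a DNS subjectAltName in the certificate.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qF -- "DNS:$2"
}

# Stand-alone use with the page's placeholders (run as root):
#   ./mkcert.sh yourdomain /etc/pki/yourdomain/certs/yourdomain.crt /etc/pki/yourdomain/private/yourdomain.key
if [ "$#" -ge 3 ]; then
    make_selfsigned_cert "$@" &&
        cert_matches_key "$2" "$3" &&
        cert_has_san "$2" "$1" &&
        echo "OK: $2 matches $3 and names $1"
fi
```

After swapping a certificate, run cert_matches_key on the two files named in ssl.conf before systemctl restart httpd; a mismatched pair makes httpd refuse to start and the error is easier to read here than in error_log.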
Method 2:
Edit /etc/httpd/conf.d/ssl.conf
Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
DocumentRoot "/var/www/<protected-directory>"
ServerName *:443
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
</VirtualHost>
Notes:
Check whether a module is installed, e.g. mod_deflate
Method 1:
[root@ts1 ~]# apachectl -t -D DUMP_MODULES | grep deflate
deflate_module (shared)
Method 2:
[root@ts1 ~]# more /etc/httpd/conf.modules.d/00-base.conf | grep deflate
LoadModule deflate_module modules/mod_deflate.so
Check the Apache version
httpd -v
httpd -V
List the modules Apache has loaded
httpd -M
References:
https://www.tecmint.com/apache-performance-tuning/
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
https://www.stephenrlang.com/2018/02/centos-7-apache-2-4-with-php-fpm/